There is a key question that Mr. Sookman asked that I wanted to document. He was asking whether I would support having a business where someone could purchase something that would only last for a few days, bringing up a possible example of a camera. I said that this is a "rental" and not a "purchase".

It may seem like I was splitting hairs, but the difference is fundamental to the debate. The rights and responsibilities, both as understood by the public and as governed by law, of each party in a vendor/purchaser transaction is entirely different from a rental transaction. It is the other party that is the property right holder in these two transactions, a critical distinction from the perspective of someone who is trying to protect property rights, and trying to have technology regulated such that technology protects -- rather than circumvents -- property rights.

When vendors want to use the word "sell", but where the purchaser is not intended to receive any property rights in what they have "purchased", the effect is for the vendor to keep all the benefits that would exist in both the selling and rental arrangements. This is clearly not a fair transaction given their customers receive none of the benefits that they would receive under either relationship. While I will not attribute to malice what could easily be attributed to other possibilities, I believe we need to challenge anyone who starts with a "wouldn't it be fair if we sold something at a lower price where you could only do ..." and demand that they separate the concepts of a purchase and a rental.

I don't know if it is bad form to comment on my own session, but a number of unexpected things happened that I wanted to write about. I would like to apologize for not adequately following some of the guidelines, such as not ensuring that there was a note taker and allowing a few people (primarily myself) to dominate the conversation.

When the topic "The Collateral Damage Of Rights Management" was announced I spoke with the host (who I need to out himself as I didn't manage to get his name in my notes) and we decided that since we both wanted to talk about issues with "DRM", and there were only a few time slots left, that we would merge and speak together.

As people were coming in I started to talk a bit about language. For instance, Access Copyright has a "Rights Management System" which is a great tool for documenting information about works (metadata) that makes it easier to trace who the author and copyright holder is for the works that they help manage. This is an entirely different concept from how we were using the term "Rights Management" as used in the term "Digital Rights Management".

We started the session with me holding up the CD and CD player and doing the "I have 4 things in my hand" as I wrote in the article Protecting property rights in a digital world. The co-host then spoke a bit about the new paths that content takes from producer to "consumer" in a world that has the new intermediary (or the replacement intermediary) introduced with "DRM". While I focused on the question of "who owns" or "who should own" each of the pieces of the puzzle (copyright, mechanical CD or other 'container', hardware, and software running on the hardware), the co-host focused on the many many problems that result when we allow other than the owner of the hardware to decide what software runs on that hardware (IE: whose rules the hardware is obeying).

We had many instances of language conflicts between communities. For instance, one participant mentioned that the term "Digital Rights Management" had been used in his community to talk about the full spectrum of tools used to help manage copyright, such as the "Rights Management System" that Access Copyright provides. He then said that the term "Technical Protection Measures" were used to refer to technologies that tried to "protect copyright".

The technical community uses these same terms in an entirely different way. Technical Protection Measures (TPMs) are used to refer to a full spectrum of technology tools that are used to protect something. The most often used and flexible tool is cryptography that uses interesting mathematics to protect the privacy, authenticity, integrity and other such aspects of information that is stored or communicated. One of the things communicated are credentials that are then used to grant access to computing facilities (cryptography used to protect the privacy of a password used to log into a website.

The term "Digital Rights Management" or "Digital Restrictions Management" are used to refer to a subset of uses of TPMs where the owner of some technology is considered the attacker of that technology. The technology is being used to ensure that the owner is not able to control the technology. An example are tools that come under the marketing term of "copy protection" or "copy control" which is software that runs on hardware that disallows the owner of the hardware from using that hardware to make copies of content.

Before the session my expectation would be that the participants would be people new to this topic, who had heard about "DRM" and what it is marketed to be able to do, but were not deep involved in the current debate about these controversial technologies. One of the participants of the session was Barry Sookman (I asked for and received permission to mention him by name). Mr. Sookman is an extremely accomplished lawyer who specializes in the area of software technology law. He is a partner with McCarthy Tétrault, and I recommend people glance at the profile on the firm's website to get an idea of his credentials.

We had met virtually and in person a number of times at the past, and I'm quite willing to admit in this WIKI that I felt a bit intimidated. While I may have many years of background in technology, including networking and cryptography, there are very few in Canada who can come close to Mr Sookman in this area of law. As much as I respect him and his credentials, we have often found ourselves on opposite sites of technology policy debates. Legal protection for technical measures, the very issue most opposed by that the technical community that the two hosts are from, is one of the policies which Mr. Sookman has been a fairly vocal supporter of.

I suspect the two of us had some back-and-forth dialogue that should have had a bit more background for the other participants to have been able to better participate in.

There is a key question that Mr. Sookman asked that I wanted to document. He was asking whether I would support having a business where someone could purchase something that would only last for a few days, bringing up a possible example of a camera. I said that this is a "rental" and not a "purchase".

It may seem like I was splitting hairs, but the difference is fundamental to the debate. The rights and responsibilities, both as understood by the public and as governed by law, of each party in a vendor/purchaser transaction is entirely different from a rental transaction. It is the other party that is the property right holder in these two transactions, a critical distinction from the perspective of someone who is trying to protect property rights, and trying to have technology regulated such that technology protects -- rather than circumvents -- property rights.

When vendors want to use the word "sell", but where the purchaser is not intended to receive any property rights in what they have "purchased", the effect is for the vendor to keep all the benefits that would exist in both the selling and rental arrangements. This is clearly not a fair transaction given their customers receive none of the benefits that they would receive under either relationship. While I will not attribute to malice what could easily be attributed to other possibilities, I believe we need to challenge anyone who starts with a "wouldn't it be fair if we sold something at a lower price where you could only do ..." and demand that they separate the concepts of a purchase and a rental.

We discussed how digital "content" is no more capable of making a decision (should the work be copied or not) than a paperback book is capable of reading itself out loud. TPMs applied to content can protect privacy, integrity, and authenticy, but cannot "make decisions". It is the software running on computing hardware that contains all of the rules. It is possible for digital content to include knowledge about the content, often called metadata, in much the same way as traditional books include information such as the ISBN, the author(s), the publisher, and other such information at the front of a book. Software running on hardware can use of this information in making decisions, but ultimately the rules that determine what hardware does is authored by the software author and not the copyright holder of works being accessed or manipulated by the software.

Another participant brought up the controvercy with the laws recently passed in France which demand interoperability. This came up in the discussion of the way in which most DRM systems worked. Some content would be encrypted such that a specific decryption key is needed. That decryption key would be embedded in software running on hardware, where this software would obey the instructions of the software author and not those of the owner of the hardware. Copyright holders need to trust the entities with keys, leaving them with a choice to either trust their customers or trust specific software vendors. If they trusted their customers they would deliver content encrypted to a key that the customer would have and could use in the hardware or software of their own choosing. If they only trusted specific software vendors, then the content could only be used in hardware that is running the trusted software.

If it is the software vendor that is trusted, the encryption key is being used to encode the content such that it is not interoperable with unauthorized software. This means that a "DRM" system where the copyright holder does not trust their audiences is by definition a system that is not interoperable between different software. This is why nobody is happy with the legislation that was passed in France. The DRM vendors correctly document that forcing interoperability breaks their DRM, and those who support interoperability are correctly documenting that legal protection for this type of technical protection measure breaks interoperability.

We spoke about how no DRM system can actually stop copyright infringement. In order to allow customers to enjoy the content in the privacy of their own homes, both the encrypted content and the decryption keys must be present in the home. This means that a technically sophisticated person who wants to infringe copyright only needs to make use of that decryption key, unlock the content, and then manipulate the content in the same way they would if the DRM did not exist. It only takes a single person out of the 6.5+ billion and growing people on the planet to decrypt any piece of content, and make it available to less technically sophisticated people, and the marketplace will act as if the DRM never existed.

The DRM vendors know this limitation of DRM systems, but claim that they create a "speed bump" that slows people down. While I believe that DRM systems slow down the lawful use of content by law abiding citizens, I have seen no evidence of any DRM that has slowed down infringement. If anything, the inconvenience of using content on a DRM system provides its own incentive to circumvent the DRM. If circumventing the DRM is itself illegal, there is then no incentive to obey copyright or pay the copyright holder given the activity of accessing the content on technology of our own choice is illegal. I strongly believe that DRM systems can only increase, not decrease, the rate of copyright infringement.

There were a large number of types of harm from DRM systems discussed. DRM systems enforce the rules that are encoded in the software, and these rules can go far beyond or even directly contradict the laws that it claims to be enforcing. DRM can disallow activities which are lawful under fair dealings, disabling appropriation art that would otherwise be legal. DRM systems also last longer than the term of copyright, disallowing the distributed versions of content to ever enter into the public domain.

DRM systems can enforce rules which violate privacy, contract, property, and even copyright law. Given in some cases circumventing DRM systems even for lawful purposes are illegal, it becomes very hard to investigate the rules being enforced to verify their enforceability or their legality.

Michael Geist offered a 30 Days of DRM series on his website where he picked 30 problems that DRM creates, with there being many more beyond the 30.

For those of us that are part of the Free/Libre and Open Source Software (FLOSS) community, DRM is a show-stopper for us. Our software is licensed such that it protects peoples right to run, copy, distribute, study, change and improve the software. If follows from these rights that it will strongly protect the ability of the owner of hardware to ensure that the software running on their computer protects their rights. Where these rights are protected it also means that it is not possible to implement a system that circumvents the rights of the owners of the hardware, such as intended by DRM systems. Content that is encrypted to keys that are embedded within DRM systems cannot be accessed with FLOSS without circumventing the technical measure used to disallow access via "unauthorized software".

Given DRM systems can't stop copyright infringement, which is their claimed purpose, and have a whole host of unintended consequences, it is surprising why there are still people who support it. While the lack of interoperability that these systems create offer benefit to the hardware vendors who are able to build a power anti-competitive monopoly, the rest of the economy -- including and especially other copyright holders -- pay the price.

We were left with the hardest question. If DRM is not a solution, then what is? This is unfortunately a topic far beyond what could happen in a 1 hour conversation. The purpose of this session was for two technical people to share with a larger community the lack of benefit and the large amount of collateral damage created by DRM systems. Other sessions were hosted that discussed many of the alternatives, including building better relationships with intended customers (people may "stick it to the man", but they don't stick it to their friends or people they are fans of), or explore alternative business strategies which don't depend on payment from those activities that are most likely to infringe (Examples: Open Access textbooks and journals, Free/Libre and Open Source Software, etc)